Begin implementation of new daemon authentication scheme

2017-09-23 20:45:25 -05:00 · 2017-09-23 20:45:25 -05:00 · 906a699ee2
commit 906a699ee2
parent 8722571037
23 changed files with 796 additions and 145 deletions
--- a/app/Http/Controllers/API/Remote/ValidateKeyController.php
+++ b/app/Http/Controllers/API/Remote/ValidateKeyController.php
@ -0,0 +1,90 @@
+<?php
+/*
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Http\Controllers\API\Remote;
+
+use Spatie\Fractal\Fractal;
+use Pterodactyl\Http\Controllers\Controller;
+use Illuminate\Contracts\Foundation\Application;
+use Illuminate\Foundation\Testing\HttpException;
+use League\Fractal\Serializer\JsonApiSerializer;
+use Pterodactyl\Transformers\Daemon\ApiKeyTransformer;
+use Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface;
+
+class ValidateKeyController extends Controller
+{
+    /**
+     * @var \Illuminate\Contracts\Foundation\Application
+     */
+    protected $app;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface
+     */
+    protected $daemonKeyRepository;
+
+    /**
+     * @var \Spatie\Fractal\Fractal
+     */
+    protected $fractal;
+
+    /**
+     * ValidateKeyController constructor.
+     *
+     * @param \Illuminate\Contracts\Foundation\Application                   $app
+     * @param \Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface $daemonKeyRepository
+     * @param \Spatie\Fractal\Fractal                                        $fractal
+     */
+    public function __construct(
+        Application $app,
+        DaemonKeyRepositoryInterface $daemonKeyRepository,
+        Fractal $fractal
+    ) {
+        $this->app = $app;
+        $this->daemonKeyRepository = $daemonKeyRepository;
+        $this->fractal = $fractal;
+    }
+
+    /**
+     * Return the server(s) and permissions associated with an API key.
+     *
+     * @param string $token
+     * @return array
+     *
+     * @throws \Illuminate\Foundation\Testing\HttpException
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function index($token)
+    {
+        if (! starts_with($token, 'i_')) {
+            throw new HttpException(501);
+        }
+
+        $key = $this->daemonKeyRepository->getKeyWithServer($token);
+
+        return $this->fractal->item($key, $this->app->make(ApiKeyTransformer::class), 'server')
+            ->serializeWith(JsonApiSerializer::class)
+            ->toArray();
+    }
+}
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -2,7 +2,9 @@

 namespace Pterodactyl\Http;

+use Pterodactyl\Http\Middleware\DaemonAuthenticate;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
+use Illuminate\Routing\Middleware\SubstituteBindings;

 class Kernel extends HttpKernel
 {
@ -43,6 +45,10 @@ class Kernel extends HttpKernel
            'throttle:60,1',
            'bindings',
        ],
+        'daemon' => [
+            \Pterodactyl\Http\Middleware\Daemon\DaemonAuthenticate::class,
+            SubstituteBindings::class,
+        ],
    ];

    /**
@ -57,7 +63,7 @@ class Kernel extends HttpKernel
        'server' => \Pterodactyl\Http\Middleware\ServerAuthenticate::class,
        'subuser' => \Pterodactyl\Http\Middleware\SubuserAccessAuthenticate::class,
        'admin' => \Pterodactyl\Http\Middleware\AdminAuthenticate::class,
-        'daemon' => \Pterodactyl\Http\Middleware\DaemonAuthenticate::class,
+        'daemon-old' => DaemonAuthenticate::class,
        'csrf' => \Pterodactyl\Http\Middleware\VerifyCsrfToken::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
--- a/app/Http/Middleware/Daemon/DaemonAuthenticate.php
+++ b/app/Http/Middleware/Daemon/DaemonAuthenticate.php
@ -0,0 +1,82 @@
+<?php
+/*
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Http\Middleware\Daemon;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
+use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+
+class DaemonAuthenticate
+{
+    /**
+     * @var array
+     */
+    protected $except = ['daemon.configuration'];
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\NodeRepositoryInterface
+     */
+    protected $repository;
+
+    /**
+     * DaemonAuthenticate constructor.
+     *
+     * @param \Pterodactyl\Contracts\Repository\NodeRepositoryInterface $repository
+     */
+    public function __construct(NodeRepositoryInterface $repository)
+    {
+        $this->repository = $repository;
+    }
+
+    /**
+     * Check if a request from the daemon can be properly attributed back to a single node instance.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @return mixed
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $token = $request->bearerToken();
+
+        if (is_null($token)) {
+            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
+        }
+
+        try {
+            $node = $this->repository->findFirstWhere([['daemonSecret', '=', $token]]);
+        } catch (RecordNotFoundException $exception) {
+            throw new HttpException(403);
+        }
+
+        $request->attributes->set('node.model', $node);
+
+        return $next($request);
+    }
+}
--- a/app/Http/Middleware/Server/ScheduleAccess.php
+++ b/app/Http/Middleware/Server/ScheduleAccess.php
@ -70,8 +70,8 @@ class ScheduleAccess
     * @param \Closure                 $next
     * @return mixed
     *
-     * @throws \Pterodactyl\Exceptions\DisplayException
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
     */
    public function handle($request, Closure $next)
    {
--- a/app/Http/Middleware/Server/SubuserAccess.php
+++ b/app/Http/Middleware/Server/SubuserAccess.php
@ -63,6 +63,7 @@ class SubuserAccess
     *
     * @throws \Pterodactyl\Exceptions\DisplayException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
     */
    public function handle($request, Closure $next)
    {
--- a/app/Http/Middleware/ServerAuthenticate.php
+++ b/app/Http/Middleware/ServerAuthenticate.php
@ -82,6 +82,8 @@ class ServerAuthenticate
     *
     * @throws \Illuminate\Auth\AuthenticationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
     */
    public function handle(Request $request, Closure $next)
    {